
Access granted? The legal tightrope in privacy access requests

Customers requesting access to their information is now a routine consequence of operating in a data‑driven economy. Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), individuals are entitled to request access to personal information held about them by organisations. While the right of access is fundamental to transparency and accountability, it poses significant legal challenges where personal information is embedded within documents that also contain legally privileged communications, confidential commercial material, internal deliberations, or information about third parties.

Similar rights to access personal information exist under the various information privacy and health records legislation in each State and Territory in Australia. While those rights are similar to those under the APPs, there are nuances and subtle differences which amplify the risks when navigating and responding to requests for access to information that is governed by both Commonwealth and State-based legislation (eg requests for access to health information held by an APP entity).

Organisations that respond incorrectly to such requests risk regulatory action, litigation exposure, and reputational harm. This article explores the key legal issues that arise under the Privacy Act 1988 (Cth) and APPs when handling access requests for ‘mixed information’ and outlines practical strategies for balancing compliance with lawful protection of sensitive material.

The scope of the right of access

APP 12 establishes a broad right for individuals to access personal information held about them, subject to limited exceptions.

Importantly, the right of access is a right to personal information: it does not create a general right to access documents or a right to access other kinds of information. This distinction is critical when dealing with files such as emails, file notes, investigation reports, call recordings, complaint files and legal advice, which frequently contain a mix of personal information and other content.

Mixed documents and the obligation to sever

A frequent compliance risk lies in treating documents as indivisible. The Office of the Australian Information Commissioner (OAIC) has made clear that where a document contains both accessible and exempt material, organisations are generally required to provide partial access by redacting or separating the non‑disclosable information.

This means organisations must:

  • identify the personal information relating to the requester;

  • assess whether any exceptions apply to specific parts of that information; and

  • provide access to the remainder unless doing so would be unreasonable or impracticable.

This can be operationally heavy and can increase legal risk if done poorly.

The proper redaction of a document or file is deceptively hard. Digital redaction must be technically reliable; metadata, version history, and hidden text can leak. A single missed line can become an unauthorised disclosure. When errors happen, the organisation can end up with a privacy complaint on two fronts: (1) the requester alleges over‑withholding; (2) a third party alleges unauthorised disclosure.
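As an added illustration of the residue the paragraph above warns about (this script is not from the article or its author), the Python code below uses only the standard library to scan a Word document for hidden text runs, tracked changes and author metadata before release; the sample file it builds is constructed for the example.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DC = "{http://purl.org/dc/elements/1.1/}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"


def run_text(el):
    """Visible plus deleted text beneath a WordprocessingML element."""
    return "".join(t.text or "" for t in el.iter() if t.tag in (W + "t", W + "delText"))


def scan_docx_residue(docx_bytes):
    """Findings a visual check of the page misses: hidden runs, tracked
    changes and author metadata. Returns a list of (kind, detail) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        for run in doc.iter(W + "r"):  # w:vanish marks text hidden on screen but present in the file
            rpr = run.find(W + "rPr")
            if rpr is not None and rpr.find(W + "vanish") is not None:
                findings.append(("hidden_text", run_text(run)))
        for tag in ("ins", "del"):  # tracked changes keep the pre-edit wording
            for change in doc.iter(W + tag):
                findings.append(("tracked_change", run_text(change)))
        if "docProps/core.xml" in z.namelist():  # author and last-editor metadata
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in (DC + "creator", CP + "lastModifiedBy"):
                el = core.find(tag)
                if el is not None and el.text:
                    findings.append(("metadata", el.text))
    return findings


def build_sample_docx():
    """Constructed sample: a file note 'redacted' on screen but still carrying residue."""
    wp = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    body = (f'<w:document {wp}><w:body><w:p><w:r><w:t>Complaint by [REDACTED]</w:t></w:r>'
            '<w:r><w:rPr><w:vanish/></w:rPr><w:t>Complainant: Jane Citizen</w:t></w:r></w:p>'
            '<w:p><w:del w:id="1" w:author="staff"><w:r><w:delText>Flagged high risk</w:delText>'
            '</w:r></w:del></w:p></w:body></w:document>')
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
            'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>a.reviewer</dc:creator></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", body)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()
```

Any finding returned means the file is not yet safe to release; the same checks belong in the review stream before a partially redacted record leaves the organisation.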

Only in limited circumstances (eg where redaction would render information meaningless) may an organisation lawfully refuse access to the entirety of a document.

The limited exceptions

The exceptions to giving access include:

1. Third party information: Under APP 12.3(b), access can be withheld where it would unreasonably disclose personal information about another individual. This exception is particularly relevant to complaint handling records, call transcripts, internal emails, and investigation files.

The test is not whether third‑party information is present, but whether its disclosure would be unreasonable in the circumstances.

In determining what is ‘unreasonable’, the guidelines published by the OAIC do not provide a mechanical formula; instead, the assessment requires contextual balancing. Factors commonly considered include:

  • the sensitivity of the information;

  • the expectations of the third party;

  • whether the third party has consented, or could practicably be consulted; and

  • whether effective de‑identification or redaction is possible.

In practice, this leads to extensive redactions of names, identifiers, and narrative passages that could reasonably identify staff members, complainants, or other customers – which increases processing time and residual risk.

2. Legal professional privilege (LPP): Under APP 12.3(d), access may be refused where giving access would reveal privileged legal communications. This exception is relevant to:

  • confidential communications between a lawyer and their client; and

  • documents created for the dominant purpose of obtaining legal advice or conducting or preparing for litigation.

Claims of LPP and reliance on the exception must be carefully analysed and defensible.

This analysis, and balancing the competing tensions that arise, can be extremely difficult. For example, the OAIC’s pro‑redaction stance encourages carving out non‑privileged material, but privilege is not always granular. A communication chain may be privileged as a whole, or privilege may attach to context and purpose, so partial disclosure risks revealing legal strategy or waiving privilege.

Over‑claiming privilege is a common cause of adverse findings by privacy regulators.

3. Confidential commercial and operational information: Access may also be refused:

  • Under APP 12.3(e) – where access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; and

  • Under APP 12.3(j) – where access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision‑making process.

These exemptions are relevant to information that reveals confidential commercial strategies, internal fraud detection methods, risk assessments or scoring methodologies, or system security features.

To rely on these exemptions, organisations must be able to demonstrate how disclosure would cause harm, rather than relying on generic assertions of sensitivity.

Opinions, evaluations and ‘why’ questions

Customers often use access requests to seek explanations (eg why an account was closed or a complaint was rejected), but the right of access does not require disclosure of reasoning or deliberative processes.

However, internal opinions about an individual may still constitute personal information – eg describing a customer as ‘uncooperative’ or ‘high risk’. Whether such information must be disclosed depends on whether an exception applies (eg third‑party privacy, LPP, or confidentiality).

Procedural obligations and refusal notices

Where access is refused in whole or in part, organisations must comply with procedural safeguards under APP 12. These include:

  • providing reasons for refusal (unless unreasonable to do so);

  • identifying the applicable refusal grounds; and

  • advising the individual of complaint options, including internal review and OAIC complaint rights.

Poorly drafted refusal letters that lack clarity or legal grounding significantly increase the likelihood of regulatory scrutiny. Giving reasons is often a no-win: too little detail risks an inadequate explanation, while too much may expose sensitive information.

Organisations should ensure ‘reason statements’ are carefully drafted so they are transparent yet non‑prejudicial – especially when multiple refusal grounds apply across different parts of the same record set.

Governance and risk management considerations

From a compliance perspective, access requests should be treated as a governance function, not an ad hoc administrative task. Effective practices include:

  • adopting clear frameworks for assessing exceptions and redactions;

  • involving legal counsel early where privilege is asserted;

  • documenting reasons for withholding access; and

  • training staff about keeping records with potential access in mind.

Good record‑keeping (especially in emails and file notes) reduces downstream risk.

A defensible OAIC‑aligned approach typically involves:

  • triaging the request early to clarify scope and reduce unnecessary searching;

  • mapping where information is held (including outsourced platforms) and running documented searches;

  • prioritising redaction before refusing access;

  • using specialist review streams (legal, privacy, compliance) and consolidating outcomes; and

  • engineering records for access by separating sensitive material to enable partial release.

Conclusion

Customer access requests present a nuanced legal balancing exercise. While privacy law strongly favours transparency and access, it also recognises legitimate limits designed to protect privilege, confidentiality, and the rights of others. The key legal risk lies not in protecting sensitive information, but in doing so without a principled, granular and well‑reasoned approach.

Organisations that understand the regulatory landscape, carefully dissect mixed documents, apply exceptions narrowly, and document their reasoning are best placed to meet regulatory expectations while preserving their legal and commercial interests.

Author: Michael Cossetto


This publication is intended as a source of information only. No reader should act on any matter without first obtaining professional advice.